Introduction of FirewallD tool in CentOS Linux

The FirewallD tool is a control shell for iptables that is used to create static network traffic rules. This tool, which can be used both via the command line and through a graphical user interface, is available in the sources of many Linux distributions. Working with the FirewallD tool compared to using iptables directly has two main differences.

• FirewallD uses zones and services instead of chains and rules.
• The management of the set of rules is dynamic. In the sense that it allows the update without disturbing the current status and connection.

Note: FirewallD is a shell for iptables that makes it easier to manage its rules. Therefore, it is not a replacement for iptables. Of course, you can still use iptables commands in the FirewallD tool; But it is recommended that you only use the FirewallD command in FirewallD.

In this article, we intend to introduce you to the FirewallD tool, the concept of its areas and services, and some basic settings. Stay with us.

Installing and managing the FirewallD tool

FirewallD tool is present by default in CentOS 7 Linux operating system, but it is disabled. Its control will be the same as other parts of systemd.

To start the service and enable FirewallD at system startup, we have:

The following commands are also used to stop and disable this service.

Check the firewall status. The output should show whether the service is running or not.

To view the status of the FirewallD tool, we have:

Sample output

To reload the FirewallD utility settings, type the following command.

FirewallD settings

The FirewallD tool is configured using XML files. Of course, you don’t need to change them unless you need a special configuration, and you should use firewall-cmd instead.

The configuration files are located in two directories.

• /usr/lib/FirewallD contains settings such as default zones and common services. Be sure to avoid updating them; Because these files will change every time the firewalld package is updated.
• /etc/firewalld contains system configuration files. These files are written as default settings.

A set of settings

The Firewalld tool uses two sets or series of settings; Instant (Runtime) and Permanent (Permanent) settings. Momentary settings are not saved after restarting FirewallD. This means that permanent changes will not be implemented for a system.

By default, firewall-cmd commands apply the current settings. But if you use the -permanent option in the command, the settings will be made permanently. To add and activate a permanent rule, you can use one of these two methods.

1) Adding the rule to both the current and permanent configuration series

2) Adding the rule to the series of permanent settings and restarting the FirewallD tool

tip

The reload command deletes all the current and momentary settings and applies the default settings. Of course, due to the dynamic nature of firewalld management, current situations and connections are not disrupted.

Firewall zones

Areas or zones are a set of predefined rules for different levels of assurance and are used for certain points or scenarios. After enabling the FirewallD tool for the first time, the default zone will be “Public”.

Zones can also be applied to different network user interfaces. For example, if there are two separate user interfaces for the internal network and the Internet, you can allow the DHCP protocol in the internal network, but allow only HTTP and SSH in the external area. Any user interface that does not have a specific region assigned to it will join the default region.

To view the default area we have:

To change the default region, the following command is used.

To see the areas used by the interface or network interfaces:

Sample output

To get all available settings for a particular zone, type the following command.

Sample output

And to get all available settings for all regions:

Sample output

Work with services

The FirewallD tool can allow incoming traffic based on predefined rules for specific network services. You can create custom service rules yourself and apply them to each of the areas. Configuration files for default services are located in /usr/lib/firewalld/services and configuration files for user-defined services are located in /etc/firewalld/services.

Use the following command to view the default available services.

An example to enable and disable the HTTP service

Allow an arbitrary port or protocol

For example, to allow or deny traffic to port 12345 we have:

Port reference

The following example shows forwarding port 80 traffic to port 12345 on the same server.

To direct the traffic of a port to a different server, the following method is used.

1) Activate the masking mode or masquerade in a desired area

2) Adding the referral rule. In this example, local port 80 traffic is forwarded to port 8080 on a remote server at IP address 198.51.100.0.

You can replace -add with -remove to remove the rule. For example:

Create a series of rules or Ruleset with FirewallD tool

As an example, here we use the FirewallD tool to add basic rules to the server.

Add the dmz zone as the default zone to eth0. This area is considered as the best option to start working with FirewallD application; Because it allows only SSH and ICMP protocols to enter.

Add service default rule for HTTP and HTTPS for dmz zone

Now you need to restart the FirewallD tool for the changes to take effect.

If you run the firewall-cmd –zone=dmz –list-all command, you will probably see the following output.

This output tells us that the dmz zone is the default zone and is used for the eth0 interface, all network resources and ports. HTTP (port 80), HTTPS (port 443) and SSH (port 22) incoming traffic will be allowed and since there is no restriction on IP versions, this is done for both IPv4 and IPv6 protocols. There will be no port forwarding. No ICMP traffic is allowed. Also, all outgoing traffic is allowed.

advanced settings

Services and ports are suitable for basic configuration. But at the same time, they can limit the work for advanced scenarios. Tools called Rich Rules and Direct Interface allow you to add completely custom rules to the firewall for any zone and with any port and protocol.

Rich Rules

The rich rules format is very extensive, which is fully explained in the firewalld.richlanguage help page. At the same time, you can manage it using the –add-rich-rule, –list-rich-rules and –remove-rich-rule options in the firewall-cmd command.

Here are some of the most common examples.

Allow IPv4 traffic from host 192.0.2.0

Block IPv4 traffic over TCP from host 192.0.2.0 to port 22

Allow IPv4 traffic through TCP from host 192.0.2.0 to port 80 and refer it to port 6532

Forward all IPv4 traffic on port 80 to port 8080 on host 198.51.100.0 (masquerade must be enabled in the zone).

To view all the Rich Rules in the public area, we have:

Direct iptables user interface

For professional iptables users, the FirewallD tool provides a direct user interface that provides the execution of raw iptables commands. These rules will not be permanent; Unless they are combined with the -permanent option.

Use the following commands to view all chains or rules added to FirewallD.

Of course, the topic of iptables templates in the FirewallD tool is beyond the educational discussion in this article, and you may want to get help from the following sources for more information.